Hello,
hi all,
I am writing a kernel mode driver and I want my
driver to connect to my server which is running. I
don't want to use LPC but I want to send some
message to my server. How should I attack the problem?
You can use a combination of shared memory and event
objects for communicating between your driver and the
server.
Secondly, I have hooked CreateFile and hence I
have a func pointer to its old vector. I want to
call the old CreateFile with a different set of
arguments. But when I call it, it returns with a
STATUS_NO_ACCESS (0XC0000005) error. This problem
doesn't occur when I call ZwCreateFile again. I am
looking for a reason for this and probably a
solution.
kiran
I assume that you have hooked the NtCreateFile system
service by patching the service descriptor table.
Here is the reason why you get the access denied error.
When the system service is invoked, the INT 2Eh
handler saves the caller mode (user/kernel) in the thread
data structure. The caller mode is found by looking at
the value of the CS selector on the stack. All the system
services validate the parameters if the caller mode
is user mode. The validation includes checking for
kernel space pointers (upper 2GB) being passed by user
mode code. Since you are modifying the arguments in
your driver, you are probably passing kernel space
pointer parameters to an original system service.
Hence, the original system service thinks that kernel
space pointers are passed by user mode code, and
returns you the access denied error.
When you use ZwCreateFile inside your driver, it again
results in INT 2Eh. However, this time, the INT 2Eh
handler sees that the call originated from kernel
mode and it updates the field in the thread data
accordingly. When the original system service is called,
it does not perform any validation, since the call
originated from kernel mode, and hence it works.
However, note that it is very risky to call
ZwCreateFile without performing parameter validation,
since it can result in a system crash if some program
passes bad parameters.
Considering the above, you have two choices:
- You call ZwCreateFile but make sure that you
validate the parameters just like the NT system
services validate parameters. You will also need to
take care of re-entrancy, because calling ZwCreateFile
will again end up in your code.
- For all the pointer parameters you are modifying,
allocate user space memory to hold that data and
then call the original system service. This memory can
be allocated either using ZwAllocateVirtualMemory or
from the process heap (if the calling process has one).
Hope this helps.
-Prasad
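The mechanism Prasad describes, as an added user-mode C model (not code from the original thread or from Windows NT): a per-thread "previous mode" set on entry, a probe of pointer parameters only when that mode is user, and the three call paths discussed above. `THREAD_MODEL`, `nt_create_file_model`, `MM_USER_PROBE_ADDRESS_MODEL` and the addresses are constructed stand-ins for the real KTHREAD field, NtCreateFile and MmUserProbeAddress.

```c
#include <stdint.h>
#include <stddef.h>

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005) /* the 0xC0000005 kiran saw */

/* Constructed boundary: on 32-bit NT the upper 2GB is kernel space. */
#define MM_USER_PROBE_ADDRESS_MODEL 0x7FFF0000u

/* Model of the per-thread field the INT 2Eh handler writes before dispatch. */
typedef struct { KPROCESSOR_MODE PreviousMode; } THREAD_MODEL;

/* Model of ProbeForRead: a user-mode caller may only pass user addresses. */
static int probe_user_pointer(uintptr_t p, size_t len) {
    return p + len > p && p + len <= MM_USER_PROBE_ADDRESS_MODEL;
}

/* Model of the original (unhooked) service entry: probe only when the saved
 * caller mode is user, which is exactly why path 1 below fails. */
static NTSTATUS nt_create_file_model(const THREAD_MODEL *t,
                                     uintptr_t object_attributes,
                                     uintptr_t io_status_block) {
    if (t->PreviousMode == UserMode) {
        if (!probe_user_pointer(object_attributes, 24) ||
            !probe_user_pointer(io_status_block, 8))
            return STATUS_ACCESS_VIOLATION;
    }
    return STATUS_SUCCESS;
}

/* Path 1: user program enters via INT 2Eh (PreviousMode = UserMode); the hook
 * substitutes a pool buffer (kernel address) and calls the old vector. */
NTSTATUS hook_calls_old_vector_with_pool_buffer(void) {
    THREAD_MODEL t = { UserMode };
    return nt_create_file_model(&t, 0x81234560u /* constructed pool address */,
                                0x0012FF00u /* constructed user stack address */);
}

/* Path 2: the hook calls ZwCreateFile; re-entering INT 2Eh from kernel code
 * records PreviousMode = KernelMode, so the service skips probing. */
NTSTATUS hook_calls_zw_create_file(void) {
    THREAD_MODEL t = { KernelMode };
    return nt_create_file_model(&t, 0x81234560u, 0x0012FF00u);
}

/* Path 3: Prasad's second choice, copy the modified data to user-space memory. */
NTSTATUS hook_uses_user_space_copy(void) {
    THREAD_MODEL t = { UserMode };
    return nt_create_file_model(&t, 0x00400000u /* constructed user address */, 0x0012FF00u);
}
```

Path 2 succeeds only because probing is skipped entirely, which is the risk the reply flags: the hook then owns the validation the service would otherwise have done.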
You are currently subscribed to ntdev as:
xxxxx@yahoo.com
To unsubscribe send a blank email to
leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
=====
Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limited
http://www.cybermedia.co.in
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698